Ryan Reynolds


• Manager, Crowe Horwath 

• Pentester 

• Twitter: @reynoldsrb 
Jonathan Claudius

• SpiderLabs Security Researcher, Trustwave

• Vulnerability Research

• Twitter: @claudijd
What's inside?


• Windows Hash Extraction 

• Story of What We Found 

• Windows Hash Extraction Mechanics 

• A Different Approach 

• Why Are All the Tools Broken? 

• Demo 

• Patches 
LET'S TALK ABOUT HASHES!!!

Goals of Getting Hashes 


• Privilege Escalation 

• Password Analysis 

• Forensics Investigations 
Windows Password Hashes

Two Types of Hashes:

- LM (LAN Manager)

• Old hashing algorithm with security flaws

• Case-insensitive (the password is uppercased), padded to 14 characters and split into two 7-character halves that are hashed independently

- NTLM (NT LAN Manager), i.e. the NT hash

• Newer hashing algorithm with security flaws

• Not salted (MD4 of the UTF-16LE password), but is case sensitive
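An added example (Python), not from the slides, showing the NT hash properties just listed: MD4 over the UTF-16LE password, no salt, case sensitive, and no 14-character limit. MD4 is written out here from RFC 1320 instead of taken from hashlib, so the block runs on Python builds whose OpenSSL has no md4; nt_hash(), md4() and lm_hash_stored() are this example's own names. The LM hash itself is not computed (it needs DES); for the slides' point it is enough that Windows cannot compute one for a password over 14 characters.

```python
"""NT hash from a password: MD4 over the UTF-16LE encoding, unsalted.

Added example, not from the slides. MD4 is implemented from RFC 1320 so the
block runs even where hashlib has no md4 (OpenSSL 3 default builds).
nt_hash(), md4() and lm_hash_stored() are this example's own names.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: 16-byte digest of data."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, constant, shifts, word order) per RFC 1320
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for f, k, shifts, order in rounds:
            for i, w in enumerate(order):
                a = (-i) % 4                       # register updated: A, D, C, B, A, ...
                b, c, d = s[(a + 1) % 4], s[(a + 2) % 4], s[(a + 3) % 4]
                s[a] = _rotl((s[a] + f(b, c, d) + X[w] + k) & MASK, shifts[i % 4])
        state = [(x + y) & MASK for x, y in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as the dump tools print it: hex of MD4(UTF-16LE(password)).
    No salt, so equal passwords always give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()


def lm_hash_stored(password: str) -> bool:
    """Whether Windows can store an LM hash for this password at all: LM is
    computed over at most 14 characters, so anything longer yields no LM hash
    (assumes the NoLMHash policy is off; Vista and later store none anyway)."""
    return len(password) <= 14


if __name__ == "__main__":
    for pw in ("", "password", "Password", "correct horse battery staple"):
        print(f"{pw!r:32} NT={nt_hash(pw)}  LM stored? {lm_hash_stored(pw)}")
```

The empty-password NT hash is the well-known 31d6cfe0d16ae931b73c59d7e0c089c0, which is what an account with a blank password shows in a dump; the empty LM value aad3b435b51404eeaad3b435b51404ee seen later in these slides is its LM counterpart.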
Windows Password Hashes

• Two Methods to Get Hashes:

- Injection via LSASS

• Reads hashes from the memory of the lsass.exe process on the live system (needs admin/SYSTEM)

- Registry Reading via SAM/SYSTEM

• Reads the encrypted hashes from the local SAM and SYSTEM registry hives, live or from copied hive files, and decrypts them with the SYSKEY
Failed Attempt 1


Social Engineering Engagement 

- Gained Physical Access 

- Dumped Hashes on a Bank Workstation 

Failed to Crack 

-John the Ripper 

- Rainbow Tables 
Failed Attempt 2

• Internal Penetration Assessment

- Popped a Shell via Missing Patch

- Dumped Hashes on System

• Failed to Crack

- Rainbow Tables (all LM space & French)

- Pass the Hash (PTH)
Example Hashes

• Via Registry (Metasploit)

- LM:

- NTLM:

• Via Injection (PwDump6)

- LM: aad3b435b51404eeaad3b435b51404ee (the empty-LM value, i.e. no LM hash stored)

- NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
Bug Report

Metasploit Framework

Bug #4402

Hashdump script/post module breaks with passwords greater than 14 characters

When using "run hashdump" or the post/windows/gather/hashdump module on a Windows 2008 server with a password of larger than 14 characters, the hash that is returned is incorrect.
Our Powers Combined...

• Beers

• Hacking

• More Beers
Example Hashes

• Via Registry (Metasploit)

- LM:

- NTLM:

• Via Injection (PwDump6)

- LM: aad3b435b51404eeaad3b435b51404ee (the empty-LM value, i.e. no LM hash stored)

- NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
Where Do Hashes Live?

HKLM\SAM

- Stores the security information for each local user, including the encrypted LM/NT hashes

HKLM\SYSTEM

- Stores the SYSKEY (boot key) material from which the key that encrypts the hashes in the SAM is derived; it is not a per-user salt, but without the SYSTEM hive the SAM data cannot be decrypted
What The Registry Looks Like

• HKLM\SAM\SAM\domains\account\users\

- Users: 000001F4, 000001F5, etc. (one subkey per account, named by RID in hex; 0x1F4 = 500 = Administrator, 0x1F5 = 501 = Guest)

Name        Type        Data
(Default)   REG_SZ      (value not set)
F           REG_BINARY  02 00 01 00 00 00 00 00 8d ...
V           REG_BINARY  00 00 00 00 be 00 00 00 02 ...
What's Inside These Values?

For each user, we have two values...

- "F" - Binary Data

• Last Logon, Account Expires, Password Expiry, etc.

- "V" - Binary Data

• Username, hash data, etc.
A Closer Look At Raw Data

[Figure: raw 'V' data with both LM and NTLM hash data highlighted]

[Figure: raw 'V' data with just the NTLM hash data highlighted]
Registry Extraction Tools

Metasploit Hashdump Script

Creddump

Samdump2

Cain & Abel

Pwdump7

FGDump 3.0

Others
Current Parsing Logic

OFFSET -> HASH DATA

• LM & NTLM   if size > 40 bytes

• NTLM        else if size > 20 bytes

• None        else

(size is the amount of data following the hash offset: the tools infer which hashes are present from how many bytes are there)
THE "FLAW"

Remember These?

• Via Registry (Metasploit)

- LM:

- NTLM:

• Via Injection (PwDump6)

- LM: aad3b435b51404eeaad3b435b51404ee (the empty-LM value, i.e. no LM hash stored)

- NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b
The "Flaw"

OFFSET -> HASH DATA -> DATA++

• LM & NTLM   if size > 40 bytes

With extra data (DATA++) appended after the hash data, an NTLM-only record also exceeds 40 bytes, so the size check reports "LM & NTLM" and the bytes are read from the wrong positions.
The "Flaw"

BAD

[Figure: the two raw 'V' dumps again, with the bytes the size-based logic selects as the LM and NTLM hashes highlighted; marked BAD because the wrong bytes are selected]
Root Cause?

• How do we get "DATA++"?

OFFSET -> HASH DATA -> DATA++

• By following Microsoft best practices

- Set password history (the old hashes are stored after the current ones, growing the data)

- No LM hashes (NoLMHash policy, or a password longer than 14 characters, for which no LM hash exists)
Raw Look at 'V' Data Structure

HKEY_LOCAL_MACHINE\SAM\SAM\domains\account\users\000003ed

F REG_BINARY 0200010000000000000000000000000000000000000000001C61A42C
0F5ACD010000000000000000A4CE64640E5ACD01ED03000001020000100200000000000002000000
000000000000000000844400

V REG_BINARY 00000000D400000002000100D40000000A00000000000000E0000000
0A00000000000000EC0000000000000000000000EC0000000000000000000000EC00000000000000
00000000EC0000000000000000000000EC0000000000000000000000EC0000000000000000000000
EC0000000000000000000000EC0000000000000000000000EC00000015000000A800000004010000
08000000010000000C01000014000000000000002001000014000000000000003401000094000000
00000000C8010000840000000000000001001480B4000000C4000000140000004400000002003000
0200000002C014004400050101010000000000010000000002C01400FFFF1F000101000000000005
... (data area continues)

Fields of interest in the header above (little-endian; offsets stored in the header are relative to V+0xCC, where the data area begins):

V+0x0C  D4000000 / 0A000000   username at 0xD4, length 10 ("test2")
V+0x9C  0C010000 / 14000000   LM hash at 0x10C, length 0x14 (present)
V+0xA8  20010000 / 14000000   NT hash at 0x120, length 0x14 (present)
V+0xB4  34010000 / 94000000   history at 0x134, length 0x94
V+0xC0  C8010000 / 84000000   history at 0x1C8, length 0x84

LM HASH DATA   20 bytes at V+0x1D8: 4-byte header 01 00 01 00 + 16-byte encrypted hash

NT HASH DATA   20 bytes at V+0x1EC: 4-byte header 01 00 01 00 + 16-byte encrypted hash

DATA++         password history from V+0x200 onward
How often does this occur?

• Newer OS's do not store LM hashes

- Windows Vista / Server 2008 and newer (NoLMHash is on by default)

- LM storage can also be disabled by a proactive sysadmin on older systems (NoLMHash policy), and no LM hash exists for passwords longer than 14 characters

• Password histories set through GPO ("Enforce password history")
In an ideal world...


We would want... 

- LM Exists? 

- NTLM Exists? 

- Parse correct hash data 100% of the time 
Raw Look at 'V' Data Structure

HKEY_LOCAL_MACHINE\SAM\SAM\domains\account\users\000003ed

[Figure: the same F and V values as on the previous slide, with the NT HASH DATA region highlighted]
A Different Approach

• "V" has a 4-byte length field for each of LM & NTLM in the header that precedes the hash data

- 0x4 (4 bytes) = Hash Not Present (false): only the 4-byte header is stored

- 0x14 (20 bytes) = Hash Present (true): 4-byte header + 16-byte encrypted hash

• No more guessing!
A Different Approach

OFFSET -> HASH DATA -> DATA++

• LM & NTLM   if LM.exists? && NTLM.exists?

• NTLM        else if NTLM.exists?

• None        else
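The two decision tables, "Current Parsing Logic" and the one just above, as an added example in Python: this is not code from the slides or from any of the tools they list. It builds constructed 'V' values, runs the size-based guess and the length-field check over each, and shows where they disagree. The header offsets (0x9C/0xA0 for LM, 0xA8/0xAC for NT, relative to V+0xCC) and the 01 00 01 00 header are the ones visible in the raw dump earlier; build_v(), compare(), the sample hash bytes and the history bytes are constructed here. What the parsers return is the 16 bytes as stored, still SYSKEY/RID-encrypted; decryption is not part of this example.

```python
"""Picking the LM/NT hash out of a SAM user 'V' value.

Added example in Python, not code from the slides or from any tool they list.
It contrasts the size-based guess described under "Current Parsing Logic" with
the per-hash length-field check proposed under "A Different Approach". Header
offsets and the 01 00 01 00 header match the raw dump in the slides; build_v()
and the sample hash/history bytes are constructed. Returned values are the 16
bytes as stored (still SYSKEY/RID-encrypted); decryption is not shown.
"""
import struct

HASH_BASE = 0xCC                 # header offsets are relative to V + 0xCC
LM_OFF, LM_LEN = 0x9C, 0xA0      # LM entry: offset, length
NT_OFF, NT_LEN = 0xA8, 0xAC      # NT entry: offset, length
PRESENT, ABSENT = 0x14, 0x04     # 4-byte header + 16-byte hash, or header only
REV_HDR = b"\x01\x00\x01\x00"    # 4-byte header in front of each stored hash


def u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def username(v: bytes) -> str:
    off = u32(v, 0x0C) + HASH_BASE
    return v[off:off + u32(v, 0x10)].decode("utf-16-le")


def parse_by_size(v: bytes):
    """Old logic as the slides describe it: decide what is present from how
    many bytes follow the hash offset (>= 40: LM + NT, >= 20: NT only)."""
    off = u32(v, LM_OFF) + HASH_BASE
    remaining = len(v) - off
    if remaining >= 40:
        return v[off + 4:off + 20], v[off + 24:off + 40]
    if remaining >= 20:
        return None, v[off + 8:off + 24]
    return None, None


def parse_by_length_fields(v: bytes):
    """Proposed logic: trust each hash's own length field (0x14 present,
    0x04 absent); whatever follows the hashes is ignored."""
    lm = nt = None
    if u32(v, LM_LEN) == PRESENT:
        off = u32(v, LM_OFF) + HASH_BASE
        lm = v[off + 4:off + 20]
    if u32(v, NT_LEN) == PRESENT:
        off = u32(v, NT_OFF) + HASH_BASE
        nt = v[off + 4:off + 20]
    return lm, nt


def build_v(lm: bytes = None, nt: bytes = None, history: bytes = b"") -> bytes:
    """Constructed V value: a zeroed 0xCC-byte header with only the name and
    hash entries filled in, then the data area (name, LM, NT, history)."""
    header = bytearray(HASH_BASE)
    data = bytearray("test2".encode("utf-16-le"))
    data += b"\x00" * (-len(data) % 4)                # keep entries 4-byte aligned
    struct.pack_into("<II", header, 0x0C, 0, 10)     # name offset, length
    lm_off = len(data)
    data += REV_HDR + (lm or b"")
    nt_off = len(data)
    data += REV_HDR + (nt or b"")
    data += history                                   # password history = "DATA++"
    struct.pack_into("<II", header, LM_OFF, lm_off, PRESENT if lm else ABSENT)
    struct.pack_into("<II", header, NT_OFF, nt_off, PRESENT if nt else ABSENT)
    return bytes(header + data)


# Constructed placeholder ciphertexts (real ones are RC4/DES-encrypted).
LM = bytes(range(0x10, 0x20))
NT = bytes(range(0xA0, 0xB0))
HISTORY = REV_HDR + bytes(range(0x40, 0x60))         # header + two 16-byte entries

V_BOTH = build_v(lm=LM, nt=NT)                       # LM + NT, no history
V_NT_ONLY = build_v(nt=NT)                           # NoLMHash, no history
V_NT_HISTORY = build_v(nt=NT, history=HISTORY)       # NoLMHash + history: the bug


def compare(v: bytes) -> dict:
    """Run both parsers on one V value and say whether they agree."""
    by_size, by_fields = parse_by_size(v), parse_by_length_fields(v)
    return {"by_size": by_size, "by_fields": by_fields, "agree": by_size == by_fields}


if __name__ == "__main__":
    for label, v in (("LM+NT", V_BOTH), ("NT only", V_NT_ONLY),
                     ("NT only + history", V_NT_HISTORY)):
        r = compare(v)
        nt_guess = r["by_size"][1]
        print(f"{username(v)} {label:18s} agree={r['agree']} "
              f"size-based NT={nt_guess.hex() if nt_guess else None}")
```

For the first two records both parsers return the same thing; for the third, the size-based guess hands back the NT header plus twelve hash bytes as "LM" and four hash bytes plus history as "NT", which is the corrupt output the bug report describes. One caveat for anyone reusing the length check today: Windows 10 1607 and later store the hashes AES-wrapped with a longer entry (length 0x38), so PRESENT needs a second accepted value there.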
A Different Approach

BAD LOGIC

[Figure: raw 'V' data with the bytes selected by the size-based logic highlighted]

GOOD LOGIC

[Figure: the same data with the bytes selected by the length-field logic highlighted]

WHY ARE ALL THE TOOLS BROKEN?

Who's Patient Zero?
Tool Timeline

[Figure: timeline of registry-based hash extraction tools]

Pwdump v1 (3/24/1997)
FGDump v3.0
Cain & Abel v2.7.4
Creddump v0.1
Pwdump7 v7.1
Samdump2 v1.0.1
MSF Hashdump

Other dates marked on the timeline: 3/28/04, 7/9/05, 12/30/09, 11/9/11 (upper row); 2/20/08, 3/10/10 (lower row)
Take Away

• Reverse engineering is hard

- Exhaustive testing is time consuming

• Leveraging existing code is helpful

- Fully reusing code is not always good: the same parsing assumption was carried from tool to tool

• Open source lets others learn and help fix!
Patches

Creddump                       Yes
Metasploit's Hashdump Script   Yes
L0phtCrack                     Working with Author(s)
Pwdump7                        Working with Author(s)
FGDump 3.0                     Working with Author(s)
Samdump2                       Fixed in v1.1.1
Cain & Abel                    Working with Author(s)